aru Posted July 31, 2003 Report Share Posted July 31, 2003 MandrakeSoft Security Advisory MDKSA-2003:080 : wu-ftpd July 31st, 2003 Updated wu-ftpd packages fix remote root vulnerability A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by- one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully accomplished by using wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters. wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages. The released versions of Mandrake GNU/Linux affected are: Full information about this advisory, including the updated packages, is available at: www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:080 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0466 Posted automatically by aru (mdksec2mub v0.0.6) Link to comment Share on other sites More sharing options...
Recommended Posts